Analysis Overview
SHA256
d0fa2f18181e55b5f55e02e7b65759ceea3710db0a003a336968e205d808c2f5
Threat Level: Shows suspicious behavior
The file dc3372438fc7fc937515502a43c267f8 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Checks computer location settings
Installs/modifies Browser Helper Object
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-21 17:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-21 17:26
Reported
2024-03-21 17:29
Platform
win7-20240221-en
Max time kernel
120s
Max time network
129s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\ = "Google Accelerator!" | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FBEB472F-5293-428D-9ADF-BD6C17131EB7} | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\googlece.dll | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\googlece.dll | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| File created | C:\Windows\SysWOW64\sys.dat | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\@#$E$@#n%^a&^%b#$%l^%$e^& %^&B#$%r&^%o$%w@#$s^%$e&*r(*& &*E*^&x$^%t%$#e@#$n&^%s#%i*^o$%^n(&*s%^& = "yes" | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7} | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\ = "Google Accelerator!" | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\InProcServer32\ = "%SystemRoot%\\SysWow64\\googlece.dll" | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2476 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2476 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2476 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2476 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe
"C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sys.bat
Network
Files
memory/2476-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2476-6-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sys.bat
| MD5 | 2c395208e1b09d968e92510f1e9e0b4d |
| SHA1 | 78854688ebd2b36b92a74911e586ac5dc259c829 |
| SHA256 | 49b705215361a2309143ac44d14149f9b3eb73efe444c44e7a30a393f5c74109 |
| SHA512 | 3e0614a145eaba1fa458a57ed7d03cbd56643f68469a6c4fb52d4a9e812b4dc4f6c220104af40b0237aaaa852b4e285d6c3d013253377e2f1981b53d554d87e2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-21 17:26
Reported
2024-03-21 17:29
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F05A0613-E859-45C1-9F62-5442D8CE0F9D} | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\ = "Google Accelerator!" | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\sys.dat | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| File created | C:\Windows\SysWOW64\googlece.dll | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\googlece.dll | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\@#$E$@#n%^a&^%b#$%l^%$e^& %^&B#$%r&^%o$%w@#$s^%$e&*r(*& &*E*^&x$^%t%$#e@#$n&^%s#%i*^o$%^n(&*s%^& = "yes" | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\ = "Google Accelerator!" | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\InProcServer32\ = "%SystemRoot%\\SysWow64\\googlece.dll" | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D} | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3228 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3228 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3228 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe
"C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sys.bat
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| GB | 96.17.178.209:80 | | tcp |
Files
memory/3228-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3228-6-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sys.bat
| MD5 | 2c395208e1b09d968e92510f1e9e0b4d |
| SHA1 | 78854688ebd2b36b92a74911e586ac5dc259c829 |
| SHA256 | 49b705215361a2309143ac44d14149f9b3eb73efe444c44e7a30a393f5c74109 |
| SHA512 | 3e0614a145eaba1fa458a57ed7d03cbd56643f68469a6c4fb52d4a9e812b4dc4f6c220104af40b0237aaaa852b4e285d6c3d013253377e2f1981b53d554d87e2 |